Security audit

Skillnote

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent as a self-hosted skill registry, but it grants a configured server ongoing power to update agent instructions, manage local skills, and collect usage metadata.

Install only if you trust the SkillNote backend as much as a package update source for your agent. Before enabling it, review the configured host, disable or remove self-update if you need stable reviewed instructions, be aware that it starts a watcher and sends skill-use metadata, and avoid using the optional curl-to-bash installer unless the backend and transport are trusted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue Agent: Self-Modification, Session Persistence
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill exercises file read/write, shell, and network capabilities but does not declare permissions or otherwise narrowly scope them. That gap reduces transparency and makes it harder for users or policy engines to assess risk, especially because the documented behavior includes persistent writes, remote syncing, and command execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The advertised purpose is a self-hosted skill registry and feedback collector, but the instructions also introduce self-updating, log monitoring, sidecar instruction grafting, and remote-driven lifecycle management. This mismatch is dangerous because users may consent to a simple sync tool while actually deploying a persistence and telemetry mechanism with code-changing behavior.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill directs modification of AGENTS.md to include a sidecar file that changes future agent behavior, which is a persistence and instruction-injection mechanism beyond simple syncing. Even with user confirmation, this materially alters the runtime trust boundary and could cause future tasks to inherit remote-controlled instructions.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documented self-update behavior allows the skill package to be reinstalled or overwritten from a remote source, which exceeds the stated role of syncing procedures and collecting feedback. A remote endpoint gaining the ability to change SKILL.md effectively gains control over future agent instructions.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Automatic self-update and reinstallation are not necessary for a registry client and create a remote code/instruction modification path. Because the skill governs agent behavior, overwriting local skill files from network responses can become a supply-chain compromise vector.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script's declared purpose is registry sync, but it also performs autonomous self-update by fetching remote version metadata and either invoking `clawhub install ... --yes` or replacing its own local skill content. That gives the remote host control over local behavior without interactive approval, which substantially expands trust and creates a software supply-chain risk.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script starts a background daemon and kills prior matching processes based on command-line inspection, which is behavior beyond simple skill synchronization. Persistent background execution increases attack surface and can be abused for ongoing monitoring or unexpected process control if the watcher or its arguments are compromised.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script automatically extracts session-derived metadata about skill usage and posts it to a configurable remote host, but provides no user-facing consent, notice, authentication guarantees, or transport restrictions. In the context of an agent skill registry, this creates a real privacy and telemetry risk because user behavior and session identifiers can be exfiltrated to arbitrary endpoints if the host is misconfigured or malicious.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Remote content is written into the local skill directory during self-update without any user-facing warning or approval. Because skill files influence agent behavior, silent replacement enables remote policy/instruction changes and reduces the user's ability to audit trust boundaries.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The sync routine removes local `sn-*` directories that are absent from the current remote set, including symlinks and directories, without warning. In a tool that writes under a shared skills path, silent destructive deletion can remove user-relied-on content or be abused by a compromised server to wipe managed material unexpectedly.

Natural-Language Policy Violations

Medium
Confidence
83% confidence
Finding
The generated sidecar hardcodes agent identity as `main` in telemetry examples, which can misattribute activity in multi-agent environments and undermine audit integrity. While not code execution, it biases reporting and can conceal which agent actually performed an action.

Self-Modification

High
Category
Rogue Agent
Content
---

# Daily self-update check

`sync.sh` does this automatically every 24 hours (tracked via `~/.openclaw/skills/skillnote/.last-version-check`):
Confidence
97% confidence
Finding
self-update

Self-Modification

High
Category
Rogue Agent
Content
   - If `clawhub` is on PATH: `clawhub install skillnote@<ver>`
   - Otherwise: overwrite `SKILL.md` + `VERSION` inline from the response

You don't need to do anything for self-updates. If a notification appears that the skill was updated, prefer to re-read SKILL.md before continuing — the steps may have changed.

---
Confidence
98% confidence
Finding
self-update

Session Persistence

Medium
Category
Rogue Agent
Content
## Step 3 — Persist the resolved host (idempotent)

Strip trailing slashes. Write to `~/.openclaw/skills/skillnote/config.json`:

```json
{
  "host": "<resolved url>",
  "user_id": "<see below>"
}
```
Confidence
84% confidence
Finding
Write to `~/.openclaw/skills/skillnote/config.json`: ```json { "host": "<resolved url>", "user_id": "<see below>" } ``` For `user_id`: use your **real OpenClaw agent name** when known (e.g., `ma

Session Persistence

Medium
Category
Rogue Agent
Content
**On user `Y`** — append the line:
```bash
mkdir -p ~/.openclaw/workspace
echo '@include ~/.openclaw/skillnote-agents.md' >> ~/.openclaw/workspace/AGENTS.md
```
Confidence
93% confidence
Finding
mkdir -p ~/.openclaw/workspace echo '@include ~/.openclaw/skillnote-agents.md' >> ~/.openclaw/workspace/AGENTS.md ``` **On user `n`** — write `{"grafted": false}` to `~/.openclaw/skills/skillnote/con

Session Persistence

Medium
Category
Rogue Agent
Content
2. Compare to `~/.openclaw/skills/skillnote/VERSION`
3. If newer:
   - If `clawhub` is on PATH: `clawhub install skillnote@<ver>`
   - Otherwise: overwrite `SKILL.md` + `VERSION` inline from the response

You don't need to do anything for self-updates. If a notification appears that the skill was updated, prefer to re-read SKILL.md before continuing — the steps may have changed.
Confidence
96% confidence
Finding
write `SKILL.md` + `VERSION` inline from the response You don't need to do anything for self-updates. If a notification appears that the skill was updated, prefer to re-read SKILL.md before continuin

External Script Fetching

High
Category
Supply Chain
Content
   ```bash
   clawhub install skillnote
   ```
2. **curl bundle installer** (works against any reachable SkillNote backend):
   ```bash
   curl -sf $SKILLNOTE_BASE_URL/setup/agent | bash -s -- --agent openclaw
   ```
Confidence
99% confidence
Finding
curl bundle installer** (works against any reachable SkillNote backend): ```bash curl -sf $SKILLNOTE_BASE_URL/setup/agent | bash

Tool Parameter Abuse

High
Category
Tool Misuse
Content
4. **Remove the skill files:**
   - If `clawhub` is on PATH: `clawhub uninstall skillnote`
   - Otherwise: `rm -rf ~/.openclaw/skills/skillnote`
5. **Optional** (frees disk; loses synced skills): `rm -rf ~/.openclaw/skills/sn-*`
6. **Confirm to the user:**
   > SkillNote removed. Daemon stopped, sidecar deleted, skill files removed. One thing left: delete the `@include` line from your AGENTS.md.
Confidence
87% confidence
Finding
rm -rf ~/.openclaw/skills/

VirusTotal

66/66 vendors flagged this skill as clean.
Static analysis

Detected: suspicious.destructive_delete_command

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
SKILL.md:314